[00:38.340 --> 00:44.160]  Welcome to When TLS Hacks You. Josh, thanks so much for joining us today for Q&A.
[00:44.160 --> 00:47.020]  And I was wondering if you would mind introducing yourself to everyone.
[00:47.600 --> 00:55.360]  Hi, I'm Josh. I work at a lot of Quora. And yeah, this is my second Black Hat Talk.
[00:55.820 --> 00:59.100]  Which you'll see in a second. Thanks everyone for watching.
[00:59.740 --> 01:01.200]  Thanks for being here.
[01:01.200 --> 01:06.840]  Yeah, we were talking a little bit earlier about what inspired you to kind of get into this and, you know, write about it.
[01:06.840 --> 01:09.200]  I was wondering if you might be willing to share with everyone.
[01:09.820 --> 01:14.500]  Oh, yeah. So it was last year with Apple Pay.
[01:15.220 --> 01:22.560]  We just covered a lot of SRF vulnerabilities and, you know, different ways of exploiting them.
[01:22.940 --> 01:28.700]  They weren't super obvious internal endpoints to hit. So that's what we'll be diving into here.
[01:29.180 --> 01:35.380]  You kind of mentioned Let's Encrypt when we were talking about that. Is that too much to go into?
[01:36.240 --> 01:45.500]  Yeah. So just during exploring this, I ended up needing to create a fair amount of SSL certificates.
[01:46.940 --> 01:53.200]  And that's where I was really glad that Let's Encrypt was around just in time for me to start doing this research.
[01:56.100 --> 02:05.060]  Just because, you know, anytime I wanted to create a cert, I could do it for free. It's really handy.
[02:07.060 --> 02:10.140]  I see the questions coming in already.
[02:10.740 --> 02:18.760]  The first one was, I'm a bit confused about how you go from caching the TLS session ID in memcache to SSRF.
[02:19.920 --> 02:20.940]  Okay.
[02:22.240 --> 02:25.600]  So I guess maybe where the confusion might be is
[02:27.340 --> 02:29.760]  caching the TLS session ID.
[02:30.480 --> 02:33.160]  The TLS session ID gets cached
[02:34.000 --> 02:41.640]  on the victim server that I'm attacking with SSRF. So when the victim server makes a first request, it
[02:42.780 --> 02:57.020]  picks up this TLS session ID. And then when I send the same URL on the next request, it's going to send that session ID to itself. And of course, because it's sending a TLS packet to itself on memcache, it's going to be a bunch of
[02:59.920 --> 03:06.940]  binary data in with it, as well as a memcache insert. And because memcache is so permissive,
[03:06.940 --> 03:07.520]  it will actually
[03:12.180 --> 03:18.740]  parse that memcache insert as long as it's delimited with new lines, even though it's sandwiched between a bunch of binary data.
[03:20.140 --> 03:24.880]  Can you go just a little bit further on this? Because it seems to be an area that people are curious about.
[03:24.880 --> 03:32.700]  Because the next question is, how did you get the vulnerable server to use TLS session ID ticket as a body of the SMTP request?
[03:33.400 --> 03:34.200]  Right.
[03:35.240 --> 03:39.560]  So maybe it helps to step back and
[03:43.340 --> 03:53.080]  kind of revisit the just kind of the SRF trigger for this. Is that, you know, say for a practical example,
[03:54.060 --> 03:58.940]  let's see, say you're, you know, wanting GitHub to notify you.
[03:59.600 --> 04:06.100]  You know, usually it'd be on a Slack channel, but GitHub would notify you of commits to your repo.
[04:06.220 --> 04:08.300]  But GitHub provides a URL field
[04:09.940 --> 04:15.080]  that you can say, like, anytime someone commits to my repo, post to this URL.
[04:15.860 --> 04:17.300]  So with SRF, people have
[04:19.280 --> 04:25.060]  discovered that, you know, if you can enter a URL and a website hits it, that can be dangerous.
[04:26.480 --> 04:33.020]  So, and where this gets to, you know, actually persisting stuff on GitHub,
[04:33.020 --> 04:42.120]  even though I haven't attacked GitHub, but where it gets to actually persisting stuff on GitHub and getting GitHub to send what it persists into itself is
[04:44.220 --> 04:52.920]  it's where I send one request, GitHub follows a redirect on that request several times, and then
[04:54.120 --> 04:58.140]  after the redirects, the DNS entry is expired and
[04:59.580 --> 05:05.880]  you know, GitHub posts the section ID, which the DNS entry now resolves to itself
[05:07.620 --> 05:10.900]  and onto some local port.
[05:11.780 --> 05:13.860]  So it was clear.
[05:15.780 --> 05:18.100]  Let me look back at the question.
[05:18.860 --> 05:23.160]  No problem, I can ask it again if you want, but I know we kind of put you on the question there.
[05:23.360 --> 05:32.120]  Most of them just asked me about how you're getting whatever, you know, whether it be SMTP or memcache to actually interact or to bring in DSL.
[05:32.160 --> 05:32.840]  Yeah.
[05:34.460 --> 05:39.320]  Actually, something I just realized about this that might be helpful way to frame it is that this is
[05:39.900 --> 05:46.680]  this is a second order attack, and that, you know, if you're familiar with or want to dig deeper,
[05:46.680 --> 05:48.120]  anyone watching can look up
[05:49.360 --> 05:50.480]  second order
[05:51.300 --> 05:53.120]  SQL injection attacks,
[05:53.680 --> 05:59.020]  which are kind of the same sort of thing where you like send, you know, one attack
[06:00.420 --> 06:12.780]  to, you know, get the server into some state to where you can send the same URL or a different URL again and then actually get the attack to happen based upon that second,
[06:13.840 --> 06:15.760]  just the second thing that you launch.
[06:17.860 --> 06:18.940]  Cool.
[06:21.100 --> 06:22.480]  I'm sorry.
[06:22.760 --> 06:24.380]  You're doing great.
[06:25.180 --> 06:41.320]  So we can also ask Nate Brady's question from the Discord. He wants to know, he said, you mentioned in your talk that MySQL and Postgres might be susceptible services. What's behind that? And when looking at other services, what are the main things to look for?
[06:42.220 --> 06:44.120]  Oh, right. That's a good question.
[06:45.320 --> 06:50.100]  So this is actually where I'm really curious to see other people take this further.
[06:51.000 --> 07:02.180]  Is that, you know, what I have here is the ability to get a server to send, you know, with a really flexible manner, binary data to itself that I control, right?
[07:04.000 --> 07:06.740]  Now, the difficulty with
[07:08.880 --> 07:19.980]  attacking stuff like MySQL and Postgres is that they're binary protocols. And, you know, a lot of times, at least as far as I've seen, a valid TLS packet is not going to be
[07:21.800 --> 07:23.800]  it's not going to function as a valid MySQL
[07:25.480 --> 07:45.800]  you know, insert, you know, something that's going to trigger an insert. But the area where I'm really curious to see if anyone could go with, could do some like memory corruption or, you know, other areas that I'm, I'm definitely not great at like memory corruption vulnerabilities, but I'm really, really curious to see if people can actually take this more in that direction.
[07:46.540 --> 07:47.420]  Cool.
[07:47.980 --> 07:49.800]  Let's see. Go ahead.
[07:49.800 --> 07:55.560]  On that point, is there a list of, you know, prerequisite conditions for this attack to be successful?
[08:00.900 --> 08:03.780]  So I guess the big point there is
[08:06.360 --> 08:10.800]  probably the most helpful thing is the, there's a triple Venn diagram I have maybe
[08:11.840 --> 08:14.020]  it's two thirds of the way through the talk.
[08:14.980 --> 08:17.120]  And I believe the slides are posted.
[08:18.780 --> 08:27.760]  But it's the three of those together are effectively the prerequisite. So you need to have a something that looks like SSRF.
[08:28.640 --> 08:35.880]  Sometimes in the case of like Flum Demo where I'm phishing people, it's actually CSRF, but in that case, it's, you know,
[08:36.420 --> 08:44.040]  it's a little bit weird, but just restricting to SRF, you know, you need to be able to send a server a URL and it needs to hit that URL.
[08:44.820 --> 08:58.140]  You actually with these, it's flexible enough that you don't care about like, you know, content type restrictions. You don't care server only except PNGs, stuff like that. You just need some, you need that precondition.
[08:58.140 --> 09:03.640]  You also need whatever the server is using to send the URL to be something that caches TLS sessions.
[09:04.300 --> 09:09.820]  So like, I don't believe like Python currently caches TLS sessions.
[09:11.520 --> 09:23.020]  And there are other, I think Go, most Go stuff doesn't cache TLS sessions either, or at least, yeah, I think there's an open ticket in Go to actually do this, at which point you will be able to attack Go stuff.
[09:24.640 --> 09:37.920]  But, and then the third one is that whatever you're attacking has to have some locally authenticated service. And so the reason I pick on memcached particularly a lot is just that
[09:38.960 --> 09:44.060]  It's so common to be to have memcached sitting on a server locally unauthenticated.
[09:46.760 --> 09:48.010]  So, but there's
[09:49.980 --> 09:50.860]  See there's
[09:52.360 --> 10:05.000]  There's also, there's like a table in the talk. And I actually, I'd also be curious to see what locally unauthenticated services, you know, people are using to do srf attacks.
[10:05.460 --> 10:16.620]  Awesome. Yeah, I remember in your talk, I think you had a slide on a whole bunch of the different srf examples and you might have even had them ranked. I think the
[10:17.480 --> 10:24.820]  memcached one you had like RCE next to it all the way down to some others. And there's often only just like so much room that you can put on there.
[10:24.880 --> 10:34.640]  Are there like, do you think there's a lot more vectors or areas that would be vulnerable to this type of attack that other people might potentially be able to find?
[10:35.960 --> 10:37.840]  I do think so.
[10:38.360 --> 10:46.380]  And actually, one thing that I thought I thought about exploring. I really wanted to get like a demo like this in time for the presentation would be
[10:49.600 --> 10:57.460]  Finding some webcam that has like a telnet port open, right, which that has happened in the past.
[10:58.000 --> 11:03.640]  And then, you know, having the phishing demo then get like a shell on that webcam or something like that.
[11:04.480 --> 11:16.040]  The catch with that is that I couldn't find any webcams right now that have like that bad of a vulnerability. Probably just, I mean, there probably are, but I haven't had the time to
[11:16.840 --> 11:19.880]  To order them all and explore them.
[11:22.760 --> 11:33.140]  We have the next question, which is, you mentioned that using Mozilla within the right parameters instead of Chrome would be preferable to protect you. What was Chrome's reason for not addressing this?
[11:33.960 --> 11:35.180]  Um,
[11:36.380 --> 11:37.760]  So I think
[11:40.400 --> 11:41.440]  See,
[11:48.310 --> 11:49.160]  I think really
[11:49.160 --> 11:53.060]  It seems to boil down to severity.
[11:53.440 --> 11:56.620]  I don't want to gossip too much about Chrome.
[11:57.640 --> 11:58.960]  I think
[11:59.480 --> 12:11.440]  And to some extent, Chrome also has other DNS rebinding approaches. So, for example, you know, if you're phishing someone and you get them to click a link right
[12:13.720 --> 12:22.280]  That in that case, if you get something to load up someone to load a fully malicious page. I think there are still existing DNS rebinding approaches.
[12:22.280 --> 12:30.060]  I think, you know, whereas here for for Chrome specifically I'm just adding the ability to
[12:31.480 --> 12:34.900]  If someone's doing an email and doesn't click a link.
[12:36.400 --> 12:40.860]  Then, you know, I can still attack them by using TLS and image tags.
[12:42.240 --> 12:43.340]  And actually
[12:43.340 --> 12:53.700]  I don't know if I got into it in this talk, but the reason Mozilla is actually so Mozilla allows you to disable TLS session IDs.
[12:55.420 --> 13:06.840]  Mozilla has kind of a quirk where it caches by IP address instead of domain, which is, it's kind of, in a way, it's a bug, but I don't think it's really a serious one.
[13:06.840 --> 13:15.940]  Like it's not consistent with the implementation, but it actually makes Mozilla safer or Firefox safer by default against this stuff.
[13:18.860 --> 13:29.740]  So how was your experience with reporting the vulnerabilities that you found? What kind of feedback did you get? Was it a good experience? Bad experience? Mixed all across the board? How was that?
[13:30.220 --> 13:33.140]  I'd say it was kind of mixed, especially at first.
[13:34.260 --> 13:35.020]  But I think
[13:36.080 --> 13:46.580]  what kind of helped with that is kind of reframing this as, you know, this really like when you report this stuff like Chrome or like Girl or someone that's like, you know, even though it's like
[13:47.160 --> 13:58.900]  that software that's making the vulnerability happen, right, it is ultimately like this is just kind of a consequence of the way TLS, you know, is standardized, right.
[13:59.780 --> 14:05.000]  And so, you know, even though there definitely are potential fixes, you know,
[14:05.020 --> 14:18.940]  like, I think I can definitely understand why people are not rushing to try to like diverge from the spec in order to like address this particular attack.
[14:22.330 --> 14:26.730]  Is there a way on the DNS side to be able to protect yourself from this?
[14:28.170 --> 14:28.970]  Yes.
[14:30.310 --> 14:32.730]  So there's an interesting...
[14:35.390 --> 14:40.950]  Like in the past there have been, you know, of course, like DNS rebinding attacks as a whole are not new.
[14:41.810 --> 14:46.150]  The only thing that's new here is DNS rebinding with TLS, right.
[14:48.350 --> 15:05.910]  So in the past, just in order to address DNS rebinding over like HTTP, I believe like PFSense and like I think there's like a plugin for like if you have a Raspberry Pi like Pi hole.
[15:07.450 --> 15:11.370]  Or I think it might be built into like DNS mask and stuff.
[15:11.370 --> 15:23.450]  To where if they, I think if they like sense a domain name getting resolved to something publicly and then later it's getting resolved to like localhost.
[15:24.710 --> 15:32.410]  These plugins will detect that and, you know, I think either like block it or just, you know, do something to protect you from it.
[15:32.410 --> 15:35.730]  So I do think those would also protect from the TLS variant of this.
[15:35.730 --> 15:43.530]  Although the caveat with that is that even though that's something you could theoretically roll out on like every network, I don't think it's...
[15:43.530 --> 15:49.890]  I think there are some like instances where it would be a breaking change on a network.
[15:50.190 --> 15:53.210]  So it's a little bit complicated to roll out in that respect.
[15:54.050 --> 15:55.010]  Excellent.
[15:56.050 --> 16:09.030]  Nate Brady wants to know, when you have a second order blind SSRF attack like this, how do you know if you've successfully poisoned something like memcached and when would you report it?
[16:09.030 --> 16:25.370]  Um, so yeah, this is actually, this is one area where it gets difficult is, you know, a lot of the stuff I've, I've really mainly focused on open source stuff.
[16:25.370 --> 16:36.510]  Um, you know, so in that case, like I can prove out locally the, whether I've inserted something in the memcached and then, you know, just report it and it's like, it's a substrate.
[16:36.790 --> 16:42.790]  It does get more difficult if you don't have that level of transparency onto something you're attacking.
[16:43.130 --> 16:50.670]  Um, I think the way that I've, you know, kind of, I've had a few attempts at this.
[16:50.670 --> 17:03.830]  Um, it's the first, you know, port scan, right? Or like first, you know, you can do like internal port scanning by SSRF and lots of people do that and it's not a super serious vulnerability, right?
[17:04.950 --> 17:13.870]  Um, aside from, you know, launching on other things. So some people, what they do is, you know, what you could do is you could port scan by SSRF.
[17:13.870 --> 17:20.110]  Discover that port 11201 or like 205, that something like that is like open.
[17:20.850 --> 17:31.310]  Um, and then what I've thought about doing is just like, you know, if I, if I see that, right, you know, I can trigger an insert, right? And say like,
[17:31.310 --> 17:40.770]  Hi, this is Josh in the memcached, right? And then submit it and it'll be like, you know, if you see this entry in your memcached, then, you know, this is really bad.
[17:40.770 --> 17:53.210]  Um, you could also try to just spray like Python to your serialization payloads, like, um, because, you know, just because of how big TLS sessions can be.
[17:53.210 --> 18:02.590]  You could put like, you know, hundreds or thousands of payloads in there and just hope that one of them, one of them will like get deserialized and execute.
[18:02.590 --> 18:14.470]  Um, and then, you know, another way is, I don't know if I'd recommend this necessarily, but is just trying the DDoS or not DDoS, but just like denial of service angle.
[18:15.530 --> 18:28.170]  Where memcached does have a flush all command. So if you were to try this attack and get memcached to flush all and suddenly you see the site like, you know, starting to take one time to load pages, then
[18:29.530 --> 18:34.690]  you know, that's one way you could have evidence that this is actually happening against memcached.
[18:35.990 --> 18:46.370]  It seems like you're still delving into this and, you know, learning more, but we're being asked is, are you working on this type of attack with anything else? For example, you know, cross-site forgery requests.
[18:46.450 --> 18:50.170]  Sorry, I said that one wrong. Cross-site request forgery.
[18:50.170 --> 19:14.350]  Right. Um, so I think the thing with CSRF, um, well specifically with TLS for mining, right, is, uh, the, um, you know, really it kind of, it's something that practically you, you want to send from like, you know, you want to send from like a phishing URL. Right.
[19:14.350 --> 19:44.130]  Um, and because kind of the, really in most cases, the, where this happens is just Chrome and where it can be printed as Chrome. Right. Um, there's not a whole lot of depth to go, go here with just CSRF attacks. Um, although, um, in a way, like another avenue of exploiting this on Chrome is to do, uh, is to, if you have an excess in like a PDF
[19:44.350 --> 20:11.470]  generator, um, like there was a talk last year at, uh, I think DEF CON, um, uh, about, uh, about PDF generators getting like SSRC in those. Um, and that's kind of a CSRF angle, even though it's on a server, it's like Chrome. Um, so that's, that is one angle is like, if you have a PDF renderer that's running, you know, and it can access.
[20:11.990 --> 20:20.470]  Like an instance or like a mail instance or something like that. Um, that's, that's kind of a CSRF attack that you could explore.
[20:21.170 --> 20:36.230]  Cool. Um, I think you mentioned before that last year at DEF CON, you presented on SSRF and then this year you have this presentation. Where do you think that you're going to go from here? What's next for you?
[20:36.230 --> 20:44.670]  I'm guessing you probably already have some ideas of things that you want to look into. Is there some kind of next thing in this area or are you going in a completely different direction next?
[20:45.310 --> 20:54.190]  Um, oh man, let's see. I have different directions. Um, let's see.
[20:55.350 --> 21:11.070]  Or also, are there other things based on what you found that you want other people to look into that you figured? I didn't quite get a chance to go as far as I wanted to with this yet. And if somebody else is interested, they could kind of jump onto your work as well.
[21:11.490 --> 21:15.210]  Right, right. Just trying to figure out how, how much I want to delve into detail.
[21:15.410 --> 21:17.590]  Sure. Don't want to reveal too much.
[21:20.070 --> 21:45.250]  The second part of that question I like because there's definitely here for stuff here where I've kind of like been like, okay, this is, I've been spent so much time trying to like DNS rebind or TLS rebind stuff that I don't want to delve too deeply and I just kind of, to some extent, I look forward to like seeing people find and write up further vulnerabilities in this space.
[21:45.250 --> 21:55.410]  So definitely like, you know, stuff where you're targeting something with memory corruption payloads, that would be really interesting to see this like change with that.
[21:55.410 --> 22:20.590]  Because in the past, like, I think an orange size talk in like 2017, a new era of SRF, right? He had some really interesting vulnerability chains with SRF there. So doing something, you know, now that we can effectively have, you know, HTTPS URLs that act as go for payloads, right, you know, we can kind of like revive that line of research a bit.
[22:21.410 --> 22:24.170]  And then also, like,
[22:25.010 --> 22:37.270]  so there are a lot of SRF vulnerabilities out there that, you know, have been reported and written up, right, and been, you know, like, at least assumed to be fixed.
[22:38.510 --> 22:51.570]  But I think also like some of this research, I found that in some cases that actually invalidates that assumption that something's been fixed. Because sometimes people will fix something by just, you know, checking out the URLs HTTPS
[22:52.450 --> 22:58.970]  and leaving the fix there, whereas here you can actually go back and unfix those vulnerabilities.
[23:03.010 --> 23:16.030]  Question earlier about what was your motivation with getting into this? And I was looking over your GitHub. And I think I see a lot of, you know, interesting things that go a little bit deeper into this with more information. Would you be willing to talk to us a little bit about what you have on there?
[23:17.190 --> 23:17.950]  Um,
[23:18.610 --> 23:19.750]  let's see.
[23:20.490 --> 23:22.210]  Trying to think what's on my GitHub.
[23:22.830 --> 23:24.270]  Putting you on the spot there.
[23:24.550 --> 23:25.310]  What?
[23:25.690 --> 23:28.110]  I said, we're really putting you on the spot today.
[23:28.110 --> 23:29.010]  Oh, yeah.
[23:30.190 --> 23:33.510]  Specifically about your TLS Poison repo?
[23:34.030 --> 23:36.810]  Oh, right. Yes, the TLS Poison repo.
[23:43.410 --> 23:46.950]  I posted the link if people want to take a look.
[23:47.150 --> 23:59.470]  Oh, yeah. Yeah, of course, the link's right there. And definitely like as people are going through these instructions, I've already had a couple of people reach out with some really good feedback on
[24:00.930 --> 24:06.710]  these instructions, because it's definitely like it's just a fair warning on setting this up. It's
[24:08.670 --> 24:17.450]  the instruction can be a little bit tough to work through just because you have to set up a couple of instances and DNS entries and a TLS certificate.
[24:19.170 --> 24:27.430]  So like if you're really committed with like infrastructure setup, then it might be a bit of a breeze. But I mean, otherwise, it can be a learning experience.
[24:28.170 --> 24:33.650]  But I definitely wrote these instructions up pretty hastily. So there's some rough edges.
[24:34.350 --> 24:44.450]  Cool. Also, along the lines of a learning experience, one question that I've been asking a few of the other speakers that have been doing research.
[24:44.450 --> 25:03.210]  How do you get started? Like if you're somebody that's new and really is interested in getting some kind of research angle, or maybe they want to speak at DEF CON one day. So like, how do I find that next thing? And how do I actually, you know, jump in and find something to research and where do I start?
[25:04.030 --> 25:13.670]  Yeah, um, I think one thing, especially with vulnerabilities, like, you know, there's just like vulnerabilities like that.
[25:14.950 --> 25:30.850]  You know, just opening up Wireshark, right? And, you know, say there's like some IoT device on your network, trying to get Wireshark to see what the IoT device is doing, or just see what some piece of software is doing.
[25:31.490 --> 25:40.390]  Or, I mean, honestly, just anytime you can intercept traffic and pick it apart and look at what stuff is doing, that's really helpful.
[25:40.390 --> 25:42.690]  I think actually even the first
[25:44.190 --> 25:46.390]  The first discovery of this was
[25:46.390 --> 25:57.070]  I'm just remembering, it was when I was doing srf, and I accidentally had an HTTP endpoint
[25:57.070 --> 26:08.210]  that I fed an HTTPS URL. And I got an error, like Flask was saying, a bunch of random characters,
[26:08.210 --> 26:12.650]  but that's not a valid request method. And I'm like, that's an interesting error.
[26:13.130 --> 26:18.890]  Then, opening up Wireshark and seeing, what are some fields here I can use?
[26:18.890 --> 26:29.570]  And, of course, previously people used S9 field, but there may even be more stuff here.
[26:30.630 --> 26:36.570]  As well as, I mean, just TLS is really complicated. So,
[26:37.290 --> 26:40.270]  there's definitely a lot of angles to explore with.
[26:40.990 --> 26:45.110]  Totally sounds like there's a lot of research to still be done. And if people kind of wanted
[26:45.110 --> 26:48.290]  to contribute to what you're already working on and start working together,
[26:48.290 --> 26:52.050]  is that something you're looking towards, or a way for them to best do it?
[26:52.510 --> 27:00.710]  Oh, yeah. So, I mean, if anyone has, I mean, has just the time and ability to
[27:03.090 --> 27:07.870]  make this repo a little bit easier to set up, whether that's infrastructure as code,
[27:07.870 --> 27:14.830]  or just better documentation, or introductory read-me's, that's definitely welcome.
[27:18.120 --> 27:22.600]  To the end of the time we have together, besides the GitHub, what is the best way for people to
[27:22.600 --> 27:26.740]  be able to reach out with any other questions, or if they hit issues when they're trying to
[27:26.740 --> 27:30.860]  get this set up on their own? Oh, yeah. So, my Twitter,
[27:32.420 --> 27:40.600]  joshmdx, same as my username on this DEF CON server. And I believe my direct messages are
[27:40.600 --> 27:46.760]  open at least on Twitter. You can also send me a friend request, or try to reach out on
[27:46.760 --> 27:53.360]  the Discord, too. Thanks for taking the time to answer these questions. And, yeah, hopefully we'll
[27:53.360 --> 27:57.760]  see you again next year. It seems like you're on a roll with the subject. All right. Thank you.
[27:57.760 --> 27:59.620]  Thank you, everyone, for watching. Thanks, Josh.
